Should Ex-SF network admin have been convicted of a felony?

Terry Childs, a former San Francisco network admin, was convicted for withholding passwords to the city's FiberWAN. Do you agree with the verdict?

Terry Childs, a former network administrator for the city of San Francisco, was convicted Tuesday of a single felony charge of denying computer services.

Childs had worked at the city's Department of Telecommunication Information Services (DTIS) and was the main engineer and administrator of the city's FiberWAN, which according to the San Francisco Chronicle "maintains about 60 percent of the city's law enforcement, payroll, and jail-booking records." In July 2008, Childs' was arrested after refusing to turn over FiberWAN passwords to city officials.

During the 6-month trial, prosecutors argued that Childs was worried about being let go from his job and wanted to make himself indispensible. The defense countered that Childs refused to turn over the passwords because the individuals requesting them lacked the appropriate authorization. In an IDG News Service article, Robert McMillan described a conference call with Cisco engineers where Childs was in a room with Richard Robinson (Chief Operating Officer of DTIS), an HR person, and a police detective. According to McMillan, Childs was asked to hand over the passwords during this meeting, but instead turned over "bogus" ones.

Even after his arrest, Childs refused to surrender the passwords to DTIS personnel. After 12 days, San Francisco Mayor Gavin Newsom visited Childs in jail and was able to get the passwords.

Understanding the verdict and a juror's description

In November 2008, I wrote about the case after a few TechRepublic members took me to task for describing Childs' actions as "hijacking" during the introduction for my TR Dojo video, "Five ways to keep your own IT staff from stealing company secrets." In my response I asserted that "Childs' act of holding the group names and passwords from their legitimate owners (senior DTIS officials) amounts to seizing the network by threat of force-one definition of the word "hijack"."

From what I've read of the case (including juror comments made after the trial), lack of adequate network administration policies and bad management by DTIS officials contributed to the situation. But, the fact remains that the jury, who weren't unsympathetic to Childs' situation, had to apply the law.

According to California Penal Code Section 502(c)(5) any person who "knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network" is guilty of a public offense. There is an allowance in the law for acts committed within the scope of a person's "lawful employment."

In an interview with IDG, Jason Chilton, Juror #4 and a CCIE and senior network engineer for ADP, summed up the decision:

Essentially, one of his [Childs'] job duties was to allow the network to be maintained. So when he went into that meeting on July 9th, he was told he was being reassigned, therefore he was not going to be working on the FiberWAN any more. Somebody has to get access, and he refused to provide that. So he's leaving this very critical network in the city's hands, but saying that nobody can maintain it.

Also telling is Chilton's description of the meeting where Childs was asked to turn over the FiberWAN passwords:

I think he went into that meeting probably thinking he was being fired. ... And I think he left that meeting honestly thinking, "OK, they're going to try to get into this network and they're not going to be able to." He even sent an email the next day, saying, "I know you all are trying to figure out how I can get into this network." So he knew nobody else could get in, and I think he had the assumption that they would say, "We need you back to maintain this network." And that obviously did not happen.

About Bill Detwiler

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

Disclosure

Bill Detwiler has nothing to disclose. He doesn't hold investments in the technology companies he covers.

Full Bio

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop support specialist in the social research and energy industries. He has bachelor's and master's degrees from the University of Louisville, where he has also lectured on computer crime and crime prevention.

How many jurors were Network Experts? Who were the experts in this case? I think he was tried and convicted in the press long before the trial. I find it doubious that so many times when reporters ask about crimes they are told "there is an ongoing investigation so we can not comment" yet others are tried, convicted and sentenced long before they get their day in court. BTW someones personality has nothing to do with their guilt or innocence!

STATE NEEDS TO AUDIT THE CITY. STATE COULD GIVE THEM A NEW BREATHING HOLE TO SIT ON IF THEY'RE OUT OF COMPLIANCE.
THE CITY MAY OR MAY NOT BE FOLLOWING GOVERNANCE AND TECHNOLOGY STANDARDS.
MORE THAN LIKELY NOT)
ROUTINE AUDITING CAN AND WOULD HAVE PREVENTED THE SCALE OF ESCALATION IN THIS SITUATION.
GENERALLY SPEAKING, SENIOR MANAGEMENT EXECUTIVES, OFFICIALS AND ESPECIALLY POLITICIANS ARE OBLIVIOUS/CLUELESS REGARDING TECHNOLOGY... RATHER THEY ARE SKIDDISH/PARANOID OF THE CAPABILITIES OF THOSE WHO UNDERSTAND IT. OF THOSE WHO ARE CONSIDERED A THREAT, IS IT A TACTIC TO TAINT YOUR OPPONENT THAN DEAL WITH INADEQUACY?
THE GUN IS STILL SMOKING. WE KNOW WHERE THE BULLET LANDED; WE KNOW WHO PULLED THE TRIGGER. WE DON'T KNOW EXACTLY WHY THE TRIGGER WAS PULLED....
I BELIEVE IN GOVERNMENT BUT I DO NOT HOLD CONFIDENCE IN THOSE IN POWER WHO ABUSE THEIR AUTHORITIES. ABUSERS SHOULD BE HELD ACCOUNTABLE.
ONE CAN ONLY SPECULATE OF POSSIBILITIES; MAYBE THEY PULLED THIS TRIGGER BECAUSE BECAUSE THERE'S A PANDORAIAN BOX WAITING TO BE OPENED.

I said yes, but the real question for me was why was this situation allowed to go as far as it did? Yes, once in the courts, he was guilty.
But management was more guilty! And there is no option to make them pay for his mistakes.
(sigh)

This entire ridiculous situation was generated by the city of SF and its lack of policies.
As even the juror#4 says in the end of his interview:
...
IDGNS: Do you think he's a trustworthy person?
Chilton: I think for the most part, yes. If he's given clearly defined rules, he could be. I think he's also very stubborn and a little egotistical.
...
It is my opinion that juror#4 - using his credentials (?) - convinced the rest of the jurors that Childs is guilty, without the least try to judge the law in this particular matter, but by applying the exact law.
The fact is that juror#4 convicted Childs for: (1) the lack of "clear rules" - which is the city's fault, (2) being "very stubborn and a little egotistical", and (3) because it was his (juror's) opportunity to escape his blunt existence and have his moment under lights.
Yessssss! This is real ground for sending one 5 years behind bars.
I really wish juror#4 - and all who consider that Childs is guilty of such a crime and deserves 5 years in prison -, the same fate.
Anyway, the only wrong-doing I find for Childs, is the lack of documentation. He should have documented like hell every discussion he had with his pointy-haired bosses. But, ultimately, he is just another engineer trapped in the world of glamorous words used by the crooked politicians and lawyers. Who else is running the city of SF - or any other city?

I have worked with many "IT" people in the past just like this. They need to remember that they are being HIRED(employed) to perform a specific task for a company or organization. The company or organization either owns directly or pays for the lease of the infrastructure that they are working on. ALL data within the infrastructure are the property of the company or organization, not the Network Admin. There was a time when an Admin could successfully hold hostage the data and access, however in computer years, those days are long over. It is usually the ones not doing their job to a satisfactory level in the first place who end up trying to keep their jobs in this manner.

While I feel that Terry Childs was wrong to not release the subject passwords to someone during this incident, the City of San Francisco is at a greater degree of fault for allowing this situation to develop. SOME system should have been in place to have prevented this incident from happening in the first place. At least two, and better yet three people, should have access to any critical passwords, etc. The City owned the equipment! The City owned the information! The City owns access to both equipment and information, not Terry Childs.

If this had been a private company, then Childs would have been in the wrong.
The point is, this was not a private company's network. It was a government network. Ultimately, the authority to make decisions about it rests with what is the maximum good for the citizens and people the network is made to serve; not any manager placed in charge of it or the people running it.
If you have reasonable doubt as to the competence of a supervisor or manager in your chain of command, you have the authority and the obligation to by-pass those people until you reach someone you can trust, or who can assume full ultimate authority for whatever happens.
Childs' evaluation of his manager and the people who were going to replace him on the job were absolutely correct; they were a group of totally incompetent boobs. Based on that evaluation, he had only 1 options; see the mayor, who had the ultimate authority. Even going public wouldn't have worked as in order to provide justification for his actions he'd have had to reveal enough to put the network at risk from outside hackers.
The jury did NOT have to find him guilty of a felony. They could have decided on jury nullification in this case. But then lawyers and judges conspire 99% of the time to not inform juries of that power.

The fact that he was able to basically hold the city hostage - it's not much "better" than sabotage. [and hacking]
If Childs had issues with network security, he properly should of notified his supervisors instead of changing passwords where he should of had access to from the beginning - even if the city didn't properly secure the area.
I hope Childs isn't stupid enough to complain about a job dismissal for no good reason!

Network admin was not the boss, nor was he a supervisor. This issue should have been dealt with years ago. the fist time he set something up and no one else could administer it, they should have nipped that in the but. Instead they left him alone to build the entire SF Fiber Wan system on his own? for years? I don't think it should be a felony unless he deleted other peoples accounts and blocked access. He did no such thing, he simpley never set anyone else up as an admin and management approved of this for years and years.

Having been a network administrator, I believe you not only have to responsibility to maintain passwords, you need to have the passwords accessible to a second party. Keeping passwords "IN ESCROW" meaning having them maintained in a secure location, so only authorized personnel can assess them is essential for business continuuity. The proverbial "BEING HIT BY A BUS" can apply to anyone. No one is so critical to an organization that they are indispensable. You hope, by your professional attitude, that you will provide value to the organization, and therefore be kept on. By withholding passwords, you are placing yourself more important than the organization that you serve. That just makes it worse for all us professionals who do a good job daily.

UNBELIEVABLE! What amazes me even more than this BUTT PLUG's attempt to hold the City hostage is the fact that SOME people dont believe he is GUILTY! HOW can ANYONE POSSIBLY even THINK this NUTJOB doesnt deserve JAIL/PRISON time? Could have been better procedures, sure. That does not change the fact HE (Childs) was unwilling to obey LAWFUL orders by his EMPLOYER (the CITY of SF). He could have easily taken any backup admin access off if he wanted unless he was placed at a lower level than someone above him. He is NOT GOD.. he is NOT the only person who can do this job. Another case of a paranoid, immature and most definately a "Mentally ILL" Network Admin trying to assert his POWER in a Self Absorbed & Self AGGRANDIZING stunt. You dont tell your superiors they cant do something because YOU dont think they have the knowledge or authority.. How ARROGANT! 10 years or more in prison.. to PUNISH him AND to get it across to the next numbnutzz who is considering the same thing. What it comes down to is TRUST.. an UNBELIEVEABLE amount of trust that our employers place in us to "DO THE RIGHT THING".. not some of the time.. but ALL OF THE TIME. That does NOT include being J@ck@$$ of the Decade by holding a critical network hostage. Its theoretically possible that lives COULD have been lost in a worst case scenario. I HATE it when people try to use "Situational Ethics"..

He thought he was going to lose his job and couldn't deal with the loss of the network he built himself. I think he was obsessed and out of control. He had his own little fiefdom.
Giving bogus passwords and withholding passwords from his management are the acts of a desperate man. DTIS owned the network, period. He forgot he was just an employee.
This case should be a very loud wake-up call to employers everywhere.
AV

is the guy involved accepted the people who were asking him for the passwords had the authority to change his job, and to even sack him. Yet he felt they had no authority to have the keys to that castle on kicking him out of it. Right, what sort of idiot says "You have power to change my job and sack me, but not right to have the keys I use."
He was looking for ways to make trouble, and he found one, and the trouble got bigger than he expected. He overstepped the line, and got hit from a great height. No sympathy from me.

It should never have gotten to legal action.
The people requesting the passwords, however p*ss'd off, should have obtained the appropriate authority.
Having said that, what was the appropriate authority Childs was after? Why the Mayor? (Please tell me it was actually Schwarzenegger!)
Perhaps Childs was suffering from Ownership or significance issues?
(This deep psychological insight provided to you completely free of interaction with, knowledge of, and other information related to Childs) :D

I have read lots of good points here and in most cases it boils down to your point of view.
My POV is that everyone involved in this case has done something wrong. Childs should not have been the only one with the password. The DTIS officials should have had a clear mandate to be authorised to obtain the passwords. It demonstrates the usual pathetic government planning (this not only applies to the US by the way).
The Penal Code mentioned in the article only mentions the denial of computer services. As far as I can see in reading about this case, that never happened. All the services were still available, Childs only denied access to unauthorised personnel (the essence of a system administrator's job).
Well it is all done but we need to learn from this case that nothing is cut & dry. We need to ensure that our systems are properly looked after.

The worst indictment was that he made himself the ONLY person with access to that information. Any diligent administrator would have at least one other person with the same level of access on the network in case he or she was unable to work, due to accident or illness.

In the past I've run into far too many situations where the delagation of authorities is very unclear. Family owned businesses are the worst.
I'm not entirely sure that the relating of events surrounding this incident and legal followups is entirely complete, so I reserve judgement, but I will make this comment:
When I contract with a company, two of the first questions I ask are 1) Who owns the data? and 2) Who owns the infrastructure? I get this in writing in one form or the other.
Then I go to the owners and ask who is authorized for administrator access. If the list is "too long", I advise that too many admins makes for poor security. That having been said, I then make sure the owners list of authorities is also put into print.
Anal maybe, but too many burns makes for pyrophobia.

is "Kafkaesque". Now, pay attention.
Childs has been convicted, but not yet sentenced. Many people expect his sentence to be time served (almost 2 years) plus probation.
And the fact is, you chose one sentence from an entire interview and are using it, out of context, to justify your opinion. You're also purporting to know what happened in the jury room, when you can have no possible idea outside your own speculation.
In my eyes, this serves to make your opinion less than educated.

Thank you for your reply, because it's a good example of why a conscientious worker might be hesitant to relinquish passwords to his boss.
First, if you're hiring workers to perform a specific task, then you'll probably get a lot of failures. I hire people for and I take on jobs to perform tasks AND to take on a degree of responibility, because I have experience that usually goes far beyond the simple task. It's truly the responsibilty that people pay me for and that's what I expect from an employee.
Secondly, I agree that the company owns the data and infrastructure, but what does that mean? You seem to imply by context that it means your boss has more right to it than you do. Does the tech sitting next to me own a piece of it too?
I've consulted on a high percentage of jobs where handing over security information to the person I'm reporting to would be very inappropriate, because they're pretty clueless about the details of their proper use.
My advice, which I had posted earlier, is for anyone who takes on a position where there are security issues entrusted to you, is to make very sure you know the chain of security (which make be different than the chain of authority). This might not even include your boss.
To fall back on the physical key analogy, when you leave your job, you might turn in your keys to your boss, but it may be much more appropriate to turn them in to security, or personnel, or the owner, or even the mayor.

just happened to be the system admin until just before this happened, and he refused to hand of the codes needed for his replacement to do the work. He refused to give back the keys, and he hadn't done the correct thing in having a list placed somewhere secure.

And had not been terminated he was within his responsibilities to refuse to hand Passwords over to a newly appointed HR Person, a Police Detective or a CISCO Employee. The only one who directly worked for the City here was HR and they certainly do not have the right to have Passwords or access to the Controls of something this complicated particularly when it is still in the Prototype stage.
Here even though HR may have the authority to terminate his employment and even that is debatable seeing that this is a Government Department they still [b]Do Not[/b] have the right to access the controls of the Optical Fiber WAN. I wouldn't consider giving Passwords to someone like that if it was a Production Environment but at the Prototype Stage where [b]Proof of Concept[/b] has just been fulfilled no one who asked Child's for the Passwords had the Authority to make that request. Even more so after the more Senior Management has previously refused to accept them to begin with.
I don't think that Child's is blameless here but he is just part of the entire problem that is a very bad situation that seems to be out of Control with no one accepting responsibility for the mess that they have made.
It's [b]Yes Minister[/b] all over. :^0
Col

Your handling is what most would see as 'appropriate' Due diligence and not zealousness to make a point.
Here is the larger question (fortunately not asked) what about the 'hit by a bus' scenario.
The city would have been scrambling for months??
Also note, guilty doesn't mean he has to rot in jail!

First, We all hire people to take on tasks and responsibility. That does not give you ownership of anything and does not give you the right to deny your Employer Administrative access to the data or infrustructure when asked for it.
Second, Yes, exactly right. Your Employer has more right to the access than you do. That is why he/she is your Employer. No, the tech sitting next to you does not own a piece of it, unless he happens to own the company, and neither do you. Again, it is not for you to judge the competence of you Employer. When your employer asks for the information to be handed over, you hand it over. I will agree on your fourth statement. In a security situation you had better well know the chain of command.

Keys may be given to other people, password may not. Especially not administrative password. Only a totally derailed policy may require something like that.
Password is personal thing, which goes with personal account, and is NEVER shared between people. Administrative rights (not necessarily all of them) are granted to personal account by another administrator, as needed, depending on the job the person is currently doing.
Root administrative password should ideally be used only once, when system is installed. It should be determined, written on paper and entered personally by some CxO. It should be impossible to remember. At that time, administrative rights are granted to the current administrator's personal accounts. Paper with root administrative password should then be put into sealed envelope, and locked in a strongbox. It should be used only in emergencies.

reports. After slicing out the hype, we end up with a situation where Childs was removed from a position, he was instructed to hand over all the keys to the castle - in this case, the passwords. He refused to do so. There were a large number of options available without refusing, the minimum to be write them down and put them in a sealed envelope for hand over.
Since it appears the passwords were never recorded anywhere else, he was not acting in a professional manner in a large organisation. One of the basics of security is the passwords to servers etc is to keep a copy of them in a secure file somewhere, usually typed and locked in a safe. he did nothing like this. If he had a heart attack, the entire system was at risk.
He accepted the HR people had the right to tell him he was out of that job, but refused to complete the required hand over tasks.
According to some reports, after this incident, he compounded the situation by accessing the systems remotely and setting them up so that those with the legal right for physical access were unable to reset the passwords.
Once he was removed from the position he had no right or responsibility to keep the passwords secret. He had plenty of witnesses that he was handing them over under duress and they would then have to take full responsibility for the outcomes. But he refused. It's just the same as refusing to hand over the keys to the front door upon being fired.
Yes, there's a lot of other issues that need to be addressed that came out of this incident, but Childs was clearly in the wrong, and he found out there are some weird laws that can affect him.
And yes, it's a Yes Prime Minister situation, but Childs did nothing to resolve it, he went out of his way to make it worse.

the case on the net. And I agree the charge was NOT the most appropriate. But, having been in a similar type situation myself, in the past, of being moved out and passing control of my pet project over to another - I know how much it hurts to hand over, but I did because I was being ordered to hand it over by those in authority above me.
You raise an interesting point where you say Childs wrote policies. As manager, and I'm sure you know this, any policies you write only have power and authority on those below you and to the extent they don't conflict with higher level policies, until such time as a higher authority approves them and says they apply to a wider group. Thus, any policy he wrote that restricts who he passes information onto, does not apply to higher level people until someone higher up the chain authorises to apply to them. Which makes his holding out in line with a policy he wrote but was not put in place by those above him, wrong.
As I said in another post on this thread, had I been in authority, I'd have just replaced the hardware and billed him for the cost of doing so. And probably carried out the required disciplinary proceedings to sack him for cause - not obey superior's orders. I'd have not bothered with the law courts, but the US people seem to think law courts first - in all things.

Mainly because you are wrong. Child's here did write the Policies that he required to pass on control of this system. He at no stage had any control over any computers as such just Routers that connected to the Fiber Optical WAN of the Cities. He never had access to any data directly and at best could only access Data flowing over the WAN when it was being tested.
The fact here that Child's wrote the Security Policies and that they where ignored and even deliberately lost to make the Cities case better should be investigated. Here the prosecution used a Scatter Gun Approach and charged him with every possible crime that they could even come close to thinking up. over 1,400 cases of Wire Fraud because he had Modems in place connected to the Routers so he could remotely administer them or reactivate them in the event of a Power Failure where the biggest sticking point to begin with. The fact that he was charged with crimes that are [b]Normal Business or Best Practices[/b] is what I find appalling. Also the fact that here the Prosecution listed 2/3 of the way into the Optical Fiber WAN in the Charges which where then published in the Press only goes to prove that Child's was right that no one in the City Bureaucracy was capable of securing this system down and keeping it secure.
Despite what has been claimed with the last report Child's was not transfered out of his position till after his arrest so up until he was arrested he was responsible for the System which was still in Prototype Stage and being developed to a usable system. The fact that the routers would not restart after a power outage wasn't so much to prevent people messing with them but to see what was required as Power Backup in the locations where they where individually located. It's pointless having the Backbone up and running if what is connecting to it to receive data in that location is down and not running. So as these things where being worked out they would have been changed to what is more commonly used in a Production Environment when the Power Backup Systems where all in place and found to be working to an adequate standard.
This WAN was just like the Jindale Over the Horizon Radar Project. The developers had [b]Proof of Concept[/b] with what was effectively a working scale model and those who bought into it thought all that they had to do was make things 100 times bigger and it would work without any development or bugs being found. We all know that id didn't work and the original Owners got sick and tired with the continual costs in Developing the system to a working unit from the Prototype and sold out.
Here the entire concept seems to be that no one with Authority [b]in the security protocols that Child's wrote[/b] asked Child's for the Passwords so he refused to hand them over. While I don't think he was overly bright in giving Fake passwords which incidentally was never claimed when this originally happened and was a sticking point in the trial was wrong. When placed in a position where unauthorized people ask for passwords you should refused to give them any not hand them fake ones.
Also if you look through the seized evidence that the Police gathered initially I think you'll not only find the Security Policies that Child's wrote and his management didn't want to know about but also the Access Codes which he claimed where in safes at his office and home where he did a lot of his work from. These where needed in the office in case anything happened at his home but they where also needed at his home as he did a lot of the reactivating of Routers from there when they went down. This was a major Claim by the Prosecution that he was accessing the Data on the WAN when he was originally charged because he had access to the Modems that could change the Routers seatings from home.
While I don't think Child's was overly bright here I still see the City Officials as far more wrong than anything that Child's did here and the entire thing is Political brought on by a Empire Building Bureaucrat who wanted something that they didn't have authority to have and didn't want in the past while this was in the early development stage. Only when it looked as if it was going to work better than what the Bureaucrats had been pushing to get the city to purchase did they want control of it and to remove Child's from that position. Unfortunately they never followed proper procedures so Child's didn't answer their requests.
The fact that the only charge he was found guilty of was to address people who broke into Computer Systems and not those charged with Administering them and keeping them secure is where I have a major Problem.
Col

Childs screwed it up, sure enough, but that should not be the reason to let his bosses off the hook. They screwed it up even more. Not having a security policy is unexcuseable. Not knowing a security policy is necessary is excuseable even less.

1. The fact Childs' bosses didn't write a hight level policy, makes it more important that he bring it to their attention - which he did not do. Even as it was his duty to write policy for the area of his responsibility, he was in a managerial position and required to set up management policies for his area of authority. Also, the fact of the failure of both sides in the policy areas, is not relevant to his refusing to carry out the instructions from his superiors about handing over the information.
edit to add 1b. Yes, Childs' seniors should have created policies and taken action to have suitable back up. But that does NOT excuse the actions of Childs in refusing to hand over the passwords and in refusing to follow the orders issued by a lawful authority. His bosses made a mistake, but he royally screwed the pooch by deliberately setting out to make the situation worse.
2. Keys and password. A password is a type of key and a subset of the key group, not a totally different group. Here's the definition from the Merriam Webster's Dictionary on-line, please note definitions 1b, 2a, 3, 10, and 11 - a key is a lot more than just the limited definition of 1a as you see it. from:
http://www.merriam-webster.com/dictionary/key
Quote
Main Entry: 1key
Pronunciation: \ˈkē\
Function: noun
Etymology: Middle English, from Old English c?̄g; akin to Old Frisian kēi key
Date: before 12th century
1 a : a usually metal instrument by which the bolt of a lock is turned b : any of various devices having the form or function of such a key
2 a : a means of gaining or preventing entrance, possession, or control b : an instrumental or deciding factor
3 a : something that gives an explanation or identification or provides a solution b : a list of words or phrases giving an explanation of symbols or abbreviations c : an aid to interpretation or identification : clue d : an arrangement of the salient characters of a group of plants or animals or of taxa designed to facilitate identification e : a map legend
4 a (1) : cotter pin (2) : cotter b : a keystone in an arch c : a small piece of wood or metal used as a wedge or for preventing motion between parts
5 a : one of the levers of a keyboard musical instrument that actuates the mechanism and produces the tones b : a lever that controls a vent in the side of a woodwind instrument or a valve in a brass instrument c : a part to be depressed by a finger that serves as one unit of a keyboard
6 : samara
7 : a system of tones and harmonies generated from a hierarchical scale of seven tones based on a tonic
8 a : characteristic style or tone b : the tone or pitch of a voice c : the predominant tone of a photograph with respect to its lightness or darkness
9 : a decoration or charm resembling a key
10 : a small switch for opening or closing an electric circuit
11 : the set of instructions governing the encipherment and decipherment of messages
12 : a free-throw area in basketball
end quote

... to gain access to computer. It's NOT the same thing.
A rough mechanical analogy to a password system is many doors leading to the same room. Each door is unlocked by different key, and used by one user only. Keys are not shared among users, there are no copies, each user has his own key. Key/lock pairs are changed frequently.
> Even if there were no such policies in place, he, as the sys admin for that system, should have written and got approval for proper policies, as that's one of the jobs of a sys admin. And Childs did not do that.
Childs's superiors should have known that, and had that policies written, one way or another, by Childs or somebody else. It doesn't matter whether they were technically clueless. Ignorantia juris non excusat. And it doesn't matter whether Childs was hit by a car, kidnapped by Mafia, or went nuts on his own- such situation shouldn't have occured, period, and it's City's fault that it did.

don't know what the policies were for the higher level organisation he was part of.
Even if there were no such policies in place, he, as the sys admin for that system, should have written and got approval for proper policies, as that's one of the jobs of a sys admin. And Childs did not do that.

we just choose to call them different words, they do the same thing.
Childs was, he claims, the system admin for the system, yet he never put in place any appropriate policies for the security of the system, he never suggested any to anyone, and he never provided back up systems - all things any half way decent system admin will do as a matter of course and standard operating procedures.
Childs was removed from the positions by his superiors in the organisations, and they ordered him to hand over all the controls to the system. Not only did he refuse to do so, he went out of his way to antagonise them. Once he was removed from the positions, he was legally and morally required to hand over all his physical and electronic keys to the system as he no longer had any legal reason to access it.
If you do not understand and agree with any of the above points, you should NOT be working in a positions as a system admin, or in any position of authority and power in any organisation other than your own personal business.

It's a bad analogy.
One person knowing the only password to the system- that simply shouldn't happen, no matter what.
Regardless of Child's conduct, motives, or verdict- the whole situation is a result of a stupid policy, and that's where the blame lies.

or passwords, he was transferred out of the position and no longer had any need to keep them, and was told by upper management to hand them over - and he refused. he was retaining what he had no right to keep any more.
Sorry for taking so long to reply, been out of circulation for a while with other matters.

although the denial might be intentional, it would be accidental and probably wouldn't have generated a court case at all. If anything fatal happens to Childs before this incident, and there are no stored passwords, the City of San Francisco starts over, from scratch, using whatever docs Childs left behind.

Passwords can be easily changed, and they should be changed on the regular basis. Mechanical equivalent of changing password is changing the key and the lock, which is not easy, and is seldomly done.
What you say is true if the password security is more rudimentary, if there is no hirearchy among administrators. More specifically, if it's not possible to set up an administrative account in such a way, that it can't be altered by other administrators.

set of sys admin passwords, they ARE handed over to the boss or the next sys admin as you leave, if not before. It is then up to the next sysy admin to change them. In most organisations, all sys admin passwords to core hardware are written down and kept locked in a safe, in case something happens to the sys admin and another must get into the system while they are unavailable, like on leave.
This guy did NOT record them anywhere on paper, he refused to give them to his boss, he refused to give them to his replacement sys admin when relieved of duty. This is the electronic equivalent of locking the doors and destroying the only keys.
If he had set up sys admin access for his boss and had the boss enter a password, then your arguement may have some support, but this idiot had the ONLY set of sys admin passwords.
Personally, I think they should have just billed him for a whole set of replacement routers, and the time to set them up, and just pull them out of the system and hand them to him, since he felt they were his property, and not the property of those who'd paid for them.

... Childs had a fatal accident, became seriously ill, suffered amnesia, or some other mental condition? Who would be convicted? Contingencies must be taken into account, no matter how disagreeable they might be.
> And only one person?Childs?took the actions leading to the situation in which he finds himself today: convicted and waiting for sentencing.
The worst enemy of the IT professional is his/her own inflated ego. Having too much power over IT infrastructure is a double-edged sword. It's bad for everyone- the owners of the IT, and the IT pro. One is never enough careful in the matters like these. When writing financial or gambling applications, even stating your name in the source code comment can potentially get you into trouble. You can never know in who's hands your sources are going to end.

And none of which was done, in this case.
Only one person–Childs–had admin access. Only one person–Childs–knew all the passwords. And only one person–Childs–took the actions leading to the situation in which he finds himself today: convicted and waiting for sentencing.